Is there a howto on LDAP for authentication with SuSE Proxy Suite FTP Proxy? I have a need to front-end a Corporate FTP Gateway to the Internet for a division. SuSE works great in transparent mode and provides me with a valuable access log. However, now I need to authenticate these users before allowing them through to the Corporate FTP gateway. LDAP looks promising but I can't find any doc on how to set it up. Further, what I have found implies that user attributes are pulled from LDAP but does not indicate that users are authenticated by password. Can someone straighten me out here?
Larry Canup
Network Security Systems Integrator
Raytheon Aircraft
316 676 1797
On Tue, Aug 29, 2000 at 01:24:10PM -0500, Larry Canup wrote:
> Is there a howto on LDAP for authentication with SuSE Proxy Suite FTP Proxy?
IMHO not explicitly at the moment. The proxy reads the config keywords (except the global and LDAP* ones) as LDAP attributes. These are: DestinationAddress, DestinationPort, DestinationTransferMode, DestinationMinPort, DestinationMaxPort, ActiveMinDataPort, ActiveMaxDataPort, PassiveMinDataPort, PassiveMaxDataPort, SameAddress, TimeOut, ValidCommands. Just attributes for an "incoming" session, so you can specify and "configure" an FTP server access per user.
Volker: we have to provide an objectclass definition here.
> I have a need to front-end a Corporate FTP Gateway to the Internet for a division. SuSE works great in transparent mode and provides me with a valuable access log. However, now I need to authenticate these users before allowing them through to the Corporate FTP gateway.
There is no authentication for now, if you use it as an "outgoing" proxy. The problem is, I do not see a way to authenticate a user in "outgoing" sessions... How to do this? You can't use the user name + password that he has used to reach an FTP server (i.e. anonymous as user name for ftp.suse.com)... I don't really see a benefit in LDAP here... It is not an HTTP(-cache) protocol that allows this.
> LDAP looks promising but I can't find any doc on how to set it up. Further, what I have found implies that user attributes are pulled from LDAP but does not indicate that users are authenticated by password.
I've written a patch some time ago, so the proxy uses an LDAP simple bind with password, so you do not need to give read rights for anonymous fetches on the LDAP server. Volker: do you have the patch?
> Can someone straighten me out here?
If you have an idea how to implement a _clean_ user auth here,
let us know...
Greetings,
Marius Tomaschewski
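The per-user LDAP session attributes Marius lists above, as an added example that is not code from the proxy or from either poster: a small reader that pulls those keywords out of a constructed LDIF entry and sanity-checks the data-port ranges before they would reach the proxy. The objectclass name ftpProxySession and the DN are assumptions; only the attribute names come from the thread.

```python
SESSION_ATTRS = (
    "DestinationAddress", "DestinationPort", "DestinationTransferMode",
    "DestinationMinPort", "DestinationMaxPort", "ActiveMinDataPort",
    "ActiveMaxDataPort", "PassiveMinDataPort", "PassiveMaxDataPort",
    "SameAddress", "TimeOut", "ValidCommands",
)
# Constructed sample entry (added example); objectclass name and DN are assumptions.
SAMPLE_LDIF = """\
dn: uid=larry,ou=ftpproxy,dc=example,dc=com
objectClass: ftpProxySession
DestinationAddress: ftp-gw.corp.example.com
DestinationPort: 21
DestinationTransferMode: passive
PassiveMinDataPort: 40000
PassiveMaxDataPort: 40100
SameAddress: yes
ValidCommands: USER PASS QUIT PWD CWD LIST RETR
"""

def parse_ldif_entry(text):
    """Minimal LDIF reader: one entry, 'attr: value' lines, folded lines joined."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # LDIF continuation line
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())  # LDAP names are case-insensitive
    return entry

def session_config(entry):
    """Pick the proxy's per-user session keywords out of a parsed LDAP entry."""
    return {a: entry[a.lower()][0] for a in SESSION_ATTRS if a.lower() in entry}

def check_session_config(cfg):
    """Return a list of problems; an empty list means the entry is usable."""
    problems = []
    if "DestinationAddress" not in cfg:
        problems.append("DestinationAddress missing")
    for lo, hi in (("ActiveMinDataPort", "ActiveMaxDataPort"),
                   ("PassiveMinDataPort", "PassiveMaxDataPort")):
        if lo in cfg or hi in cfg:
            if lo not in cfg or hi not in cfg:
                problems.append(f"{lo} and {hi} must be set together")
            elif not (0 < int(cfg[lo]) <= int(cfg[hi]) < 65536):
                problems.append(f"{lo}..{hi} is not a valid port range")
    return problems
```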
Thanks for the feedback. My first thoughts are to explore using an authenticating wrapper such as pam_tcpd and set up PAM to use LDAP or SecurID (ACE). This should work since I initiate fwproxy through inetd. The authentication would happen before fwproxy is initiated. This would not be a _clean_ user auth, but would get what I need.
Do you know of any other authenticating wrappers that I could look at? Assuming that the server is just used as an authenticating FTP transparent gateway, do you see any major drawbacks?
Larry Canup
Marius Tomaschewski wrote:
--
SuSE GmbH, Hamburg --- SuSE Labs, Product Development
PGP public key available: http://www.suse.de/~mt/mt.pgp
Fprint: EA 1F 92 75 1A F9 82 07 A1 28 DE 7A 32 E8 97 18